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Abstract. We present B1COQ3, a deep embedding of the B system in 
COQ, focusing on the technical aspects of the development. The main 
subjects discussed are related to the representation of sets and maps, 
the use of induction principles, and the introduction of a new de Bruijn 
notation providing solutions to various problems related to the mecha- 
nisation of languages and logics. 
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Embedding a language or a logic is now a well-established practice in the 
academic community, to answer various types of concerns, e.g. normalisation of 
terms and influence of reduction strategies for a programming language or con- 
sistency for a logic. It indeed supports such meta-theoretical analyses as well as 
comparing and promoting interesting concepts and features of other languages, 
or developing mechanically checked tools to deal with a language. 

But a lot of difficulties arise that have to be addressed. First of all, an im- 
portant design choice has to be made between shallow and deep approaches, 
consistently with the objectives of the embedding. Justifying the validity of an 
embedding its correctness and completeness - can also be difficult. Finally, a 
lot of technical details have to be considered e.g. to manage variables. 

We address these questions through the presentation of BiCoq and B1C0Q3, 
two versions of a deep embedding of the B logic in the Coq system. The main 
objective for these embeddings is to evaluate the correctness of the B method 
itself, in the context of security developments; other objectives include the de- 
velopment of proven tools for the B and the derivation of new results about the 
B logic. Yet we focus in this paper on the technical aspects of these embed- 
dings, and explain the need for a full redevelopment between the two versions 
by describing painfully learned lessons. The presentation includes the definition 
of an extended de Bruijn notation with interesting potentialities to solve some 
frequently encountered problems related to the mechanisation of languages. 

This paper is divided into 6 sections. Sections 1-3 briefly introduce Coq, 
the notion of embedding and B. Section 4 presents de Bruijn notations. The 
technical aspect of the development of BiCoq and B1C0Q3 are described in Sec. 
5, considering in particular de Bruijn context management, induction principles, 
techniques to implement maps and new results obtained through an extension 



of the de Bruijn notation using namespaces. Section 6 concludes and identifies 
further activities. 

1 About Coq 

Coq [1] is a proof assistant based on a type theory. It offers a higher-order 
logical framework that allows for the construction and verification of proofs, 
as well as the development and analysis of functional programs in a ML-like 
language with pattern-matching. It is possible in Coq to define values and types, 
including dependent types (i.e. types that explicitly depend on values); types 
of sort Set represent sets of computational values, while types of sort Prop 
represent logical propositions. When defining an inductive type - which is a least 
fixpoint - associated structural induction principles are automatically generated. 

For the intent of this paper, it is sufficient to see Coq as allowing for the 
manipulation of inductive sets of terms and inductive logical properties. Let's 
consider the following standard example: 

Inductive N : Set — : N | ,S:N->N 

Inductive even: N^Prop := evo :even | evi : V(n : N), even even S(S n) 

The first line defines a type N which is the smallest set of terms stable by 
application of the constructors and S. N is exactly made of the terms and 
S(. . . S(0) . . .) for any finite iteration; being well-founded, structural induction 
on N is possible. The second line defines a family of logical types: even is a 
type inhabited by the term evo, even 2 is an other type inhabited by (ev2 Oe^o), 
and even 1 is an empty type. The standard interpretation is that evo is a proof 
of the proposition even and that there is no proof of even I, that is we have 
^(even I). The intuitive view of our example is that N is a set of terms, and 
even a predicate marking some of them, defining a subset of N. 

2 Deep and Shallow Embeddings 

Embedding in a proof assistant consists in mechanizing a guest logic by encoding 
its syntax and semantic into a host logic ([2-4]). In a shallow embedding, the en- 
coding is partially based on a direct translation of the guest logic into constructs 
of the host logic; in terms of programming languages, a shallow embedding can 
intuitively be seen as the development of a translation function between two 
langages, that is a compiler. On the contrary, a deep embedding is better intu- 
itively described as the development of a virtual machine: the syntax and the 
semantic of the guest logic are formalised as datatypes of the host logic. Taking 
the view presented in Sec. 1, the deep embedding of a logic defines the set of all 
sequents - the terms - and the subset of provable sequents (the inference rules 
of the guest logic being encoded as constructors of the provability predicate). 

Both approaches have pros and cons. The one we are concerned with, and that 
has led us to choose the deep embedding approach, is accuracy: a deep embedding 



allows for an exact representation of the syntax and semantic of the guest logic, 
whereas a shallow embedding appears to enforce a form of interpretation whose 
validity can be difficult to justify. 

3 About B 

3.1 A Short Description of B 

B [5] is a popular formal method that allows for the derivation of correct pro- 
grams from specifications. Several industrial implementations are available (e.g. 
AtelierB, B Toolkit), and it is widely used by both the academic world and 
the industry for projects where safety or security is mandatory. 

The B method defines a first-order predicate logic completed with elements 
of set theory, a Generalised Substitution Language (GSL) and a methodology of 
development based on the explicit concept of refinement. 

The logic is used to express preconditions, invariants, etc. and to conduct 
proofs. This logic is not typed; a kind of well-formedness checking is described 
but is not integrated within the logic. 

The GSL allows for the definitions of a form of Hoare substitutions [6-8] 
that can be abstract, declarative and non-deterministic (i.e. specifications) as 
well as concrete, imperative and deterministic (i.e. programs): the substitution 
ANY x WHERE x 2 <n<(x + l) 2 for example specifies x^^/n. 

Regarding the methodology, B developments are made of machines (modules 
combining a state in the form of variables, invariants and operations described 
as generalised substitutions to read or alter the state). Intuitively a machine Mq 
refines a machine Ma if any observable behaviour of Mq is a possible behaviour 
of Ma - this encompasses the notion of correctness. Refinement being transitive, 
it is possible to go progressively from the specification to the implementation; 
by discharging at each step the proof obligations of the B method, a program 
can be proven to be a correct and complete implementation of a specification. 

Note that the language represented by the GSL is imperative; at the last 
stage of refinement the machines are written using only the BO sublanguage of 
the GSL and are easily translated e.g. into C programs. 

3.2 Embedding B: Related Works and Motivations 

Shallow embeddings of B in higher-order logics have been proposed in several 
papers (cf. [9,10]) formalising the GSL in PVS, Coq or Isabelle/HOL. Such 
embeddings are not dealing with the B logic, and by using directly the host logic 
to express B notions, they introduce a form of interpretation - which is fully 
acceptable for example to promote the B methodology in other formal methods. 

The objectives of BiCoq and B1C0Q3 are very different, the main concern 
being related to validation. Indeed, the B method is used for the development 
of safe or secure systems (e.g. [11,12]), and it is therefore important to know 
what is the level of confidence that one can grant to a system proven using this 



method, and how to improve this level of confidence. The other objectives are 
the development of formally checked tools for B developments, illustrated by 
a proven prover (not discussed further in this paper but detailed in [13]) and 
the derivation of new results about the B logic. Regarding the latter, it is again 
important to be able to justify that such results are not a consequence of the 
embedding itself, e.g. using an 'alien' trick provided by Coq, and are indeed 
valid for use in a standard B development. 

With the objectives of accuracy and independancy, the translation for a shal- 
low embedding would be difficult to define but also to defend against a skeptical 
independent evaluator. Consider B functions that are relations, possibly partial 
and undecidable: translating accurately this concept in Coq is a tricky exercise. 
A deep embedding makes the justification easier, and has also the advantage to 
clearly separate the host and the guest logics: excluded middle, provable in the 
B logic as well as in BiCoq or B1C0Q3, is not promoted to the Coq logic. Such a 
deep embedding of the B logic in Coq is described in [14], to validate the base 
rules used by the prover of AtelierB - yet not checking standard B results, and 
without implementation goal. 

4 De Bruijn Notations 

There are numerous problems to deal with when mechanising a language (cf. [15, 
16]), one of them being related to the representation of bound variables. Indeed, 
two terms differing only by the names of their bound variables (a-renaming) , 
such as Ax • Xy ■ x — y and \z ■ \x ■ z — x, should be considered as equal but are 
not when using a notation with names (denoted Ay in this paper); one may also 
wonder how to compute the reduction of the substitution [x:=E]Xx-T. 

De Bruijn notations (cf. [17, 18] or more recently [19]) address these problems 
by encoding bound variables as natural values pointing to a binder; they define 
an a-quotiented representation, i.e. terms equivalent modulo a-renaming are 
indeed equal. They also provide a clear semantic to deal with capture phenomena 
applicable between others when considering substitutions. 

4.1 De Bruijn Indexes: The AdBi Notation 

The most known de Bruijn notation uses indexes, that are relative pointers 
counting binders from the variables (the leaves in the tree representing the term). 
The value represents the variable bound by the closest parent binder, as illus- 
trated hereafter (de Bruijn binders are underlined for the sake of clarity): 

A v notation \x-\y-(X +x — y) 

AdBi notation AA(2 + 1 — 0) 

We have chosen here to use the pure nameless notation: the free variable X is 
represented by the value 2, assuming it is the first free variable in the context 
(left implicit here). Such a pointer is said to be dangling as its value exceeds 
the number of parent binders. Another possible alternative is to use the locally 



nameless notation; in this case, free variables are represented by names (and are 
syntactically different of bound variables). We will not consider further this ap- 
proach that requires to give a specific semantic to dangling pointers or to manage 
side conditions enforcing terms to be ground (without dangling pointers). 

4.2 De Bruijn Levels: The AdBi Notation 

Another option when defining a de Bruijn representation is to use levels, dis- 
cussed e.g. in [20]. Levels are absolute pointers counting binders from the root 
of the term; the value then represents the variable bound by the farest parent 
binder, as illustrated here: 

Av notation Xx-Xy-(Xo+x — y) 

A dB i notation AA(2 + — 1) 

Index and level notations only differ in the representation of bound variables. 
Levels ensure a unique representation in a term of a bound variable, whereas 
with indexes this representation depends on the variable position; on the other 
hand, bound levels need frequent renumbering during abstraction or substitu- 
tion whereas bound indexes are never modified. Other pros and cons of these 
approaches will be considered later in the paper to explain B1C0Q3 design choices. 

4.3 Managing de Bruijn Indexes in A-Calculus 

As mentioned, the index representing a given bound variable change with its 
X-height, i.e. the number of parent binders, as illustrated by this example: 

Av notation Xx-(x+Xy-(x — v)Xq) 

AdBi notation A(0+A(l-0)2) 

This makes manipulating AdBi terms by hand rather awkward. It is therefore 
customary to provide standard operators to support index management, either 
technical such as lifting or user-relevant such as substitution. The former is used 
by the latter to adapt terms when crossing a binder, as illustrated here (where 
T denotes the set of AdBi terms, i an index in I = N, t the lifting and [i :=E]T 
the replacement of all occurences of the free variable i in T by E) : 

Td:TT->T:= [i := E] : T->T := 

I XT' =>• X(\w T') XT' => X([x+l:=1 E]T') 

I i' if d<i' theni' + l elsei' | i' if i = i' then E else %' 

|... |... 

Indeed, crossing a binder modifies the A-height, so the index i has to be incre- 
mented to represent the same variable, and similarly dangling indexes of E have 
to be incremented to maintain their semantic as well as to avoid their capture - 
this is the role of lifting. To identify dangling indexes, lifting is parameterised by 
the contextual information d recording the current A-height, left implicit when 
d = (other values of d resulting only from recursive calls for bound subterms). 



This toolbox for A-calculus is completed with operators defining a user- 
friendly representation, as in [18]. The idea is to emulate the Ay abstraction, 
a not so simple transformation in AdBi as illustrated here (capturing X{): 

Ay notation X0+X-1+X2 — * \x-(Xo + x-\-X2) 

AdBi notation 0+1 + 2 -> A(l + 0+3) 

To this end, we define the abstraction function A(i-T) :— A(Abstro i T) with: 

Abstr d (i: I) :¥-►¥:= 

I AT' A(Abstr d+ i (i + 1) T') 

(i'ifi'<d 
I i! => < d if i' > d and 1 = i 

{ i' + l if i! > d and i' ± i 

I ••• 

Here X(i-T) is not the Av abstraction but a function computing the correct AdBi 
term, defining a form of Ay representation (i being an index and T a AdBi term). 

5 A Detailed presentation of BiCoq3 

We now discuss the design choices made for developing B1C0Q3, also addressing 
the technical alternatives and their consequences. From this point, illustrations 
and codes will describe the B logic as encoded in Coq, instead of the A-calculus 
considered up to now; dotted notations will represent B logical operators in Coq 
(e.g. -1 is the Coq negation and ^ the embedded B negation). 

5.1 Embedding the Syntax 

Using de Bruijn indexes. We have chosen for BiCoq and B1C0Q3 to use a 
de Bruijn notation, and have investigated both indexes and levels: two full ver- 
sions of B1C0Q3 have been developed, yet without reaching a general conclusion. 
Indeed for most of our needs, levels are more efficient; they are easier to deal 
with, theorems tend to be more generic and proofs simpler. Consider as a typical 
example the lifting functions for indexes (left code) and levels (right code): 

| d :T-^T:= | L :T~*T — 

AT' A(td+i T') I AT" A(| L T") 

1 if d<i' then i'+l else i' j i'=>i' + l 

|... |... 

As mentioned in Sub. 4.3, f d requires a contextual parameter to identify dangling 
indexes, bound indexes being never modified. On the contrary its AdBi equivalent 
t L increments all levels, so this parameter is not required and theorems about 
lifting arc not specialised according to its value. 

Our final (and late) choice is however to use de Bruijn indexes. Indeed com- 
plex results in our developcmcnt require as a proof tool the definition of paral- 
lel A- substitutions providing an alternative encoding of standard operations on 



terms (such as lifting). This is feasible with AdBi, those operations being similar 
to substitutions in never modifying bound indexes, but not in AdBi- We there- 
fore consider that whereas de Bruijn levels are simpler to use, there is a clear 
advantage for de Bruijn indexes when dealing with advanced techniques related 
e.g. to term transformations under binders detailed later in this paper. 

Representing B terms. Given a set of identifiers J, the B logic syntax defines 
predicates P, expressions E, sets S and variables V as follows: 

P := PAP | P^P | -,P | MV-P | E = E | EES \ [V:=E]P 
E := V S | E^E | JJ. S | [V:=E]E 

S := BIG j ^ S SxS | {V\P} 

V ■- I i v,v 

In this syntax, [V := E]T represents the (elementary) substitution, V\,V2 a list 
of variables, E\ i— » E2 a pair of expressions, JJ- and -ft- the choice and powerset 
operators, and BIG a constant set. Other connectors are standard, and new 
connectors are defined from the previous ones, P^Q as P=>Q A Q=^P, PVQ as 
-.P^>Q, 3 F-P as -.VV—P, 5CT as SefrT, etc. 

The B syntax is formalised in Coq by two mutually inductive types with the 
following constructors 3 , I being the set of indexes (i.e. N): 

P := PAP I P^>P j ^P I VP I E=E I EGE 

E := xl j E E JJ.E 17 1>E | ExE £ EiP > 

P represents B predicates and E merges B expressions E, sets S and variables V 
to enrich the B syntax that is too strict (e.g. i?eJJ.(f|- S) is syntactically invalid 
in standard B). In the rest of this paper T = PUE denotes the type of B terms. 

fi represents the constant set BIG, x unary de Bruijn variables (using Xi to 
denote the application of constructor \ to i:T). The B binders VV-P and {V^|P} 
are respectively represented by the constructors V and ill, that are raw de 
Bruijn binders (we therefore use the underlined notation, the dotted notation 
V and {|} being reserved for a uscr-fricndJy notation, cf. Sub. 4.3). Using de 
Bruijn indexes, they have no attached names and only bind a single variable - 
binding over list of variables being eliminated without loss of expressivity 4 . The 
constructor 1 i i is further modified to keep in the syntax definition only well- 
formed terms (cf. Sub. 3.1). Indeed, the well-formedness checking in B requires 
comprehension sets to be of the form {x \ i£ S A P} with x not free in 5\ Both 
constraints are embedded in our syntax. The comprehension set constructor has 
two parameters, the left one being an expression representing S and the right one 
a predicate representing P; the non-freeness condition is ensured by considering 

3 This is a slightly simplified presentation of B1COQ3 focusing on relevant aspects. 

4 Remark by the way that the notation {Vi, V2 \ Vi, V2 € Si x S2 AP} used in [5] is 
an example of syntactically invalid term confusing the expression x 1— > y with the 
variable x,y, whose 'correct' version {Vi,V2 | V\ 1— > V2 € Si XS2AP} is not well-formed. 



this constructor as a binder only for its right parameter 5 . This bridges the gap 
between syntactically correct terms and well-formed ones. 

Note finally that we do not represent B syntactical constructs [V := E]T 
(elementary substitutions); this will be justified later in this paper. 



5.2 De Bruijn Management: Improving Context Awareness 

We ease the use of the de Bruijn notations by providing functions, as in Sub. 
4.3. First of all, lifting is adapted to our constructors - noting that as i. i 1 does 
not bind its left parameter, the left A-hcight is not incremented: 

T d :T^T:=VP' ^V(| #1 P') 

I E'lP' I =► 1 Td E'LUi P' l 
| xv x( if d<i'theni' + l elsei') 

| . . . . . . (straightforward recursion) 

We also define abstraction functions, but with additional subtle changes: 

Abstr d (i:I):T^T := VP' y(Abst rd+ i (td i) P') 

| L E'LP' I { Abstr d i E' I Abstrd+i (Td i) P' l 
| xv X (if * = *' then d else \ d i) 

| . . . => . . . (straightforward recursion) 

Vi-P:= V(Abstr i P) 3i-P:=^(Vi-^P) {i: E j P} :={ E i Abstr i P > 

Compared with the abstraction function defined in Sub. 4.3, it is important to 
note the difference w.r.t. the A-height parameter d. We do not increment indexes 
anymore but we lift them; furthermore when we lift an expression, we ensure that 
we use d instead of the default value 0. This does not change the result: applying 
n times the function jo yields exactly the same result as applying successively 
to, Ti) • • • ! Tn-i ~ benefits are not computational but logical. Indeed we have 
(painfully) discovered that a stricter discipline in managing contexts is a very 
good practice, easing the expression of theorems as well as their proofs. In fact, 
this discipline leads to generalise the A-height parameter to functions that don't 
need it. For example, deciding if a variable appears free in a term does not require 
this parameter (left code), but proofs are easier by adding it and using it to lift 
the variable parameter (right code): 

Free(i:I):T-»B:= Free d (i:I) :T^B:= 

VP' Free (i+1) P' \ VP' =>> Freed+i (td i) P' 

i E'lP' 1^ Free i E' V Free (i + 1) P' \ I E'lP' >^ Freed i E' V Freed+i (td i) P' 
| xv =>i' = i I Xv i' = i 

| (straightforward recursion) | ...=>... (straightforward recursion) 

Generalising the A-height parameter and using it ensures an explicit management 
of the context, a form of weak typing useful for complex proofs. 



5 Similarly consider the \x:T-E notation in simply- typed A-calculus; the A captures 
x in E but not in T, binding only one of its parameters. 



We also define additional functions (not described in Sub. 4.3) to deal with 
the B syntactical constructs [V:=E]T not represented in our syntax. It is our 
view that these constructs are introduced early in B only for expressing inference 
rules such as the V-elimination (P h VV-P — > P h [V:=.E]P), that is a form of 
application followed by /3-reduction as in standard A-calculus; there is no reason 
to enforce this operation to be the B elementary substitution defined by the 
GSL... Neither do we represent the application in our syntax, as in standard 
formalisations of A-calculus: representing application (and /3-reduction either as 
an external or internal operation e.g. using the explicit substitution approach [21, 
22]) is interesting for example to study normalisation strategies, but this is not 
relevant in our case. We encode directly such elimination rules, i.e. application 
followed by /3-reduction, as an external operation, through application functions 
in Coq denoted T@ V E and T@qP, one per binder 6 : 

App d (£:E) :T^T := VP' => V(A PPd+1 (U E) P') 

| 1 E'lP' I => { App d E E> I A PPd+1 (U E) P' I 

{Xi'-i ifd<i' 
E if d = i' 
Xv if d > i' 
| . . . => . . . (straightforward recursion) 

T@ V S := match T with VT' => App„ E T' 

T@ {} E := match T with iE'\T' 1^ EeE' AApp () E T' 

The V-elimination can then be written Ph W-P^Ph (yV-P)@yE. As abstrac- 
tion, application and substitution functions are such that the following properties 
hold (the left one being valid only after generalising the A-height parameter to 
the substitution function), our rule is equivalent to the standard one: 

[i:=_B] d r = App (J £;(Abstr (i ir) or more simply [i:=E\T = (Vi-P)@ V E 

The point is that we do not consider substitution as primitive. The standard 
definition of /3-rcduction \x-T@E -^p [x := E]T describes the semantic of ap- 
plication using substitution; in B1C0Q3 on the contrary application is directly 
defined and the substitution is a composite operation. Note also that we can 
write App d \i (Abstr^ iT)=T, or more simply (Vi-P)@vXi —T, to emphasise 
that application is the reverse of abstraction 7 . 

5.3 Embedding the Inference Rules 

Having formalised the B syntax as a datatype, the next step is to encode the B 
inference rules as the constructors of an inductive provability predicate defining 
a dependent type. We denote P h P the Coq type of all B proofs of P under 
the assumptions P; if it is inhabited then P is provable assuming P. Note that 
-■(P h P), i.e. T h P is an empty type', is different from P h -\P. 

6 These functions only apply to terms starting with the appropriate binder; the par- 
tiality is encoded in COQ by an additonal proof parameter left implicit here. 

7 This result commutes, Abstrj i (App d \iT)=T provided that Freed i VT = _L. 



Thanks to the use of the user-friendly functions described in Subs. 4.3 and 
5.2, the constructors look very much like the standard B rules 8 . The translation is 
straightforward, merely a syntactical one, limiting the risk of error, as illustrated 
here (where V\r means that V does not appear free in P): 

rh p^rhQ^rh paq 

The main divergence is a correction of the definition of the cartesian product. 
Indeed, beyond minor syntactical problems, BiCoq has also pointed out B logical 
oversights; analyses have shown that the following results, presented in [5] as 
theorems, are in fact not provable with the standard B inference rules 9 : 

I- Ev^Fx = E 2 ^F 2 => E x = E 2 A Pi = F 2 
h Si C S 2 A Ti C T 2 Si x Ti C S 2 x T 2 

To our knowledge, this was not known by the B community - whereas imple- 
mentations of the B method correct this flaw, consciously or not. The flawed rule 
h {E^F) e (SxT) <^ (EeS)A(FeT) has therefore been replaced in BiCoq by: 

r h E- L ^E 2 =E 3 ^E 4 -> r h E- L =E 3 A h E 2 =E 4 

ii,i 2 ^Ee(E 1 xE 2 )^i 1 ^i 2 ^T\-3 ii-ii€.EiA3 i 2 -i 2 eE 2 AE=i 1 ^i 2 <&Ee(E 1 xE 2 ) 
5.4 A Generic Induction Principle 

The definition of an inductive datatype in Coq yields automatically the associ- 
ated structural induction principle. This principle is relevant to prove structural 
properties such as those about freeness, but not to prove semantical results. 

Indeed, it identifies T as the predecessor of VT, i.e. that proving P(T) by 
structural induction requires proving a subgoal of the form P(T') => P(VT'). But 
using de Bruijn indexes this approach is not appropriate: 

de Bruijn indexes 3(1*0>2) Y(3(l*0>2)) 
Natural notation 3z-Xq*z>X 1 Wy-3z-y*z>Xo 

The two de Bruijn terms are related structurally, but not semantically because 
of the unmonitored shift of the context modifying free variables representation. 

To address this problem and some others, numerous induction principles 
were derived in BiCoq : (weak) structural induction, semantical induction, strong 
induction based on a measure for a given type or for mutually recursive types. 
And this was not yet sufficient for proof induction because the predecessors 
(sub-proofs) of a step in a proof have different (dependent) types. This was 
not considered as a proper approach, because of the number of principles to be 
expressed and proved as well as the absence of genericity of the proof method. 

8 We also benefit from the Notation command provided by COQ to use UTF-8 sym- 
bols instead of constructors or functions names. 

9 Further details are discussed in [13]. 



r \- p rtq . 

TKPAQ is encoded by 

r h p v\r 
rhvv-p 



For B1C0Q3 a general approach has been designed. It combines a single in- 
duction principle based on a measure in N (something rather intuitive) with a 
strategy for conducting the proof defined through a inductive relation (so-called 
accessibility relation). The induction principle is generic, as D is any family of 
types (indexed by T), M any measure and P any predicate: 

V(T:Type)(D:T^Type)(M:V(t:T), D t—>N)(P:\/ (t:T), Dt^Prop), 
(V (t:T)(d:Dt),(V (t' :T)(d' :D t'), Mt'<Mt-> P t') -> P t) ->V (t:T), Pt 

It does not describe what are the 'smaller' terms to consider - this results of 
the selected accessibility relation. Choosing this relation is choosing the strategy, 
the cases in a proof by cases, the predecessors for the entity you are considering. 
Intuitively this defines paths to reach terms in D, and provided the measure is 
compatible with the relation (i.e. predecessors are smaller) it allows to derive 
proofs along these paths. The accessibility relation can be surjective or not in 
D; in the later case it defines a strict subset of accessible terms and can be 
used to prove that any term of this subset satisfies a property. For example a 
semantically relevant strategy can be defined as follows: 

Inductive 17301x1 :T— *Type: = 
\Z x :\/(i:I), E Seia Xi 

|XV:V(P:P)(i:I), E Sc m P~> £ Scm V i-P 

I r {} :V(P:P)(S:E)(i:I), E Scm P^Zscm E^E Sem {i:E j P} 
I . . . (straightforward induction) 

This relation is surjective, i.e. V (T : T), Z's om (T). To prove a property Q for 
any term T, it is possible to apply the generic induction principle (with M the 
standard depth function on B terms) and then to use this relation to make a 
proof by cases using inversion of the Coq term S Scr[L (T). The generated subgoals 
are then semantically relevant, e.g. Q E' ^>Q P' ^>Q {i 1 ': E' \ P'}. 

5.5 About Lists, Maps and Abstract Data Types 

Various syntactical entities arc represented in our embedding, including sequcnts 
and parallel substitutions (used as a technical tool to prove complex results 
presented thereafter). In BiCoq these constructs are implemented through lists, 
but we have explored other alternatives in B1C0Q3. 

Proof environments in sequents are finite sets of predicates. In B1C0Q3 they 
are represented by a specification: signature of functions for membership, free- 
ness, etc. with the appropriate properties as axioms. The specification has the 
advantage to describe only what we need to know, and permits to use efficient 
concrete functions of the target language when there is an implementation ob- 
jective 10 . Yet we do not recommend this approach for a deep embedding, as 
the workload is not significantly reduced, whereas there is a risk to introduce 
inconsistent axioms. 



E.g. B1COQ3 specifies the terms equality to use OCaml's = in the implementation. 



Another possibility adopted in B1C0Q3 is the use of maps to represent paral- 
lel substitutions. They can be described as lists of pairs in IxE provided that 
there are never two pairs (i,E) and {i,E') s.t. E^E', but it is more efficient 
to consider them as functions in I— >E. In our experience, this approach simpli- 
fies the development and the proofs - consider the use of parallel substitutions 
to represent lifting: it is not possible to build a generic lift substitution using 
finite lists, because any index i that can appear dangling in a term T has to be 
modified, whereas a unique (infinite) map can represent lifting for any term. On 
the other hand, maps require additional theorems that may be complex to deal 
with as I — > E is not well-founded. Yet the main results consider parallel sub- 
stitutions applied to a term, for which well-foundedness holds. A more straight- 
forward approach, yet to be explored, would be to reintroduce well-foundedness 
through scoped maps, that is parallel substitutions represented by elements of 
(List I) x (I— >E), the list enumerating the relevant indexes. 

Maps are therefore efficient tools for deep embeddings, but our recomman- 
dation would be to carefully analyse all consequences of using such a design. For 
example, they cannot be analysed extensionally - just another way to say that 
they are not well-founded. That means in practice e.g. that as we need to be 
able to decide whether or not a variable appears free in (one of the predicates 
of) a proof environment P, we cannot encode r as a function in P^B. Indeed, 
being unable to identify a priori predicates of r, testing freeness would require 
examining all predicates in the (infinite) type P. 

5.6 Relationships between B and Coq logics 

Deep embeddings such as BiCoq and B1C0Q3 ensure a clear separation of the host 
and the guest logics, allowing e.g. for a study of their relations as illustrated here 
with the B operators on the left side and the Coq operators on the right side: 







(PhPi) A(PhP 2 ) 






V(P:E), r\-[i:=E]P 


PhPi^Pa 


=> 


r h Pi =*> p h p 2 


p h P1VP2 


<= 


(PhPi) V(PhP 2 ) 


r\-3i-p 


<= 


3 (P:E), Ph [i:=E]P 


P \~ Ei=E/2 


<= 


E\ = E2 



The interesting results are those that are not equivalences. For example disjunc- 
tion (V vs V) is very significant w.r.t. the difference between the classical logic 
of B and the constructive logic of Coq. The excluded middle being provable in 
B, it is always possible to provide a proof of h PV^P; should the disjunction 
being directly translated in Coq we would obtain ( h P) V ( h ^P) for any P, 
that is a proof that the B logic is complete, which of course is not the case. 

Note that these results provide a formal justification for the translation in a 
shallow embedding; one may wonder whether it would be possible to automati- 
cally derive (or extract) a shallow embedding from a deep embedding, provided 
such results. 



5.7 New Results and Enriched de Bruijn Indexes 

Using Standard Indexes. The B inference rules defined in [5] include a con- 
gruence rule: if E\- E = F and Ph [x:=E]P, then Ph [x:=F]P. BiCoq generalises 
this congruence rule to equivalent predicates (extending the syntax with prepo- 
sitional variables). These results, however, are limited to the replacement of un- 
bound subterms; that is, they are for example not applicable to systematically 
simplify r h V i-(-VnP) into P h V i-P as i may appear free in P. 

The substitution operator (left code) indeed mechanically avoid capture of 
variables by enforcing lifting when crossing a binder. So B1C0Q3 also addresses 
a more generic class of congruence rules by defining grafting (right code), which 
compared to the standard substitution allows for the capture of variables in the 
parameter E by never lifting it: 

[i:=E] d :T->T:= [i<E] d : T->T := 

YT' =► Y([Td i:= U E] m T') I VT' => V([td i<E] m T') 

I i' =>■ if i' = i then E else i' i' => if i' = i then E else 1 

|... |... 

Grafting being defined, we have proven (using parallel substitutions) in B1C0Q3 the 
following congruence results for the replacement of sub-terms: 

\~ E\=E% l~~ E\=E% 

r\-[i<E 1 \P4^[i<E 2 \P rh[to£i]£=[!<]£2]-E 

These results extend the classical congruence rules to bound subterms - e.g. 
they justify why it is always valid to simplify a subterm -i-P into P, anywhere 
in a term. But they are not generic enough, as the equality E\ — E2 has to 
be proven in the empty context. So they cannot for example be used to unfold 
a conditional definition such as y 7^ h x/y = raax{z e N | y x z < x}. This 
limitation is not logical but technical. Preventing lifting when crossing a binder 
is necessary to permit captures of variables, but causes a loss of context: free 
variables representation is modified without control. 

Introducing Namespaces. Several approaches were considered to avoid this 
limitation of the congruence results: using names, marking De Bruijn indexes 
during grafting, defining grafting as the composition of primitive operations... 
to finally develop for B1C0Q3 a simpler solution, enriched de Bruijn indexes. 

In its most general form, this notation represents free and bound variables 
by pairs (n,x), the first parameter n being the namespace and the second one 
the index. Binders of the language are themselves parameterised by a namespace 
in which they capture variables. Namespaces can be seen as sorts, used to mark 
binders and indexes 11 . This has limited consequences on the complexity of the 
code of the various operations on terms, e.g. lifting is as well parameterised by 
a namespace and only modifies indexes in this namespace. This representation 

11 Sorts for de Bruijn indexes are considered in [25] but for different reasons, each of 
the two binders of the defined language using its own space of de Bruijn indexes. 



defines a form of names: if there is no binder in a namespace n, a pair (n, x) 
always represents a free variable and can be considered as a name, being never 
subject to computations but dealt with using only decidable equality. 

B1C0Q3 applies these principles in a simplified manner: the namespace set N 
contains (at least) two values, all the binders acting implicitly in the dedicated 
namespace n , the other namespaces being used for eternally free variables. 
Consistently, lifting only modifies pairs of the form (no, a;) in a term, etc. It is 
then possible to prove improved congruence results: 



The side condition _L requires r and E\ = E2 to have no common free variable 
in the namespace no - the technical difficulty is still there, but is now limited 
to a dedicated namespace. Provided we avoid using the namespace no for free 
variables (through an extended form of a-conversion, changing the name of the 
free variables), we got the full expressiveness of our result, e.g. allowing for 
the replacement of conditional definitions. In their most general form, these 
results allow for /^-reduction, unfolding of (conditional) definitions, as well as 
the replacement (rewriting) of equivalent subtcrms under a binder. 

Applicability of the New Results. As noted in Sub. 3.2, it is important to 
justify that such new results are truly applicable to B and are not artefacts prov- 
able only using features of the host logic. We provide the intuitive justification 
by the Curry-Howard isomorphim. The interpretation of the congruence results 
is that provided a B proof of r h E\= E2, if -T _L E\=Ei then there always 
exists a B proof of F h [i<Ei]P <^ [i<\E 2 ]P. In fact, the Coq proof is a program 
building such a B proof, the Ssem accessibility relation used in the Coq proof 
(cf. Sub. 5.4) being the recursion strategy of this program. 

6 Conclusion 

Through the presentation of two deep embeddings of the B logic in Coq, namely 
BiCoq and B1C0Q3, we have discussed techniques to deal with deep embeddings, 
or more generally with complex developments in higher-order logic (HOL) frame- 
works - e.g. combining a generic induction scheme with ad hoc accessibility rela- 
tions or implementing sets with maps rather than lists. One of these techniques 
applicable to language mechanisations is to enrich de Bruijn representation. 

The first proposed adaptation enforces an explicit and precise management 
of the A-height parameter - to the extent that it is added to operations that do 
not strictly require it. This is in fact a form of encoding ensuring a consistent 
management of the context: not only are proofs easier to conduct, but in some 
cases it also allows for finer definitions and proofs of properties that would not 
be valid in a cruder version. Context management is intuitive and don't require 
to use the full arithmetics: the only required operators on indexes are successor, 
predecessor and comparison. 



r\ L [i<E 1 ]p^[i<E 2 ]P 



r \~ E\ —E2 r _i_ Ei=E e 2 

Th [i<Ei]E=[i<E2]E 



The second adaptation introduces namespaces to parameterise binders and 
indexes. It is a way to partition variables and to easily restrict scopes. Again, the 
required adaptations of the operations are simple and intuitive, but the benefits 
are in our case important: beyond obtaining the full power of complex congruence 
results, it is a frequent cause for proof simplifications. Namespaces also define an 
approach to consider substitution and grafting as a single operation: substitution 
is emulated by grafting provided free variables are in never bound namespaces. 

We may also note that our design choice is to directly encode application as 
an external operation - i.e. a shallow representation of application in our deep 
embedding. Together, these adaptations of the de Bruijn representation seem to 
define a new form of calculus for languages, of which detailed properties are still 
to be carefully studied and compared to other calculi {e.g. [21-24]). Clearly, a 
full version of this calculus easily represents the concept of sorts, provided with 
an efficient management of contexts. 

Taking the user view, these embeddings also demonstrate that it is possible 
to embed a non trivial logic while ensuring accuracy and readability. Their use- 
fulness to check the validity of known results is illustrated by the identification 
of various oversights - in our view a sufficient justification for this activity, at 
least from a security perspective (cf. [26]). The development of proven tools and 
the derivation of non trivial theorems that were, in our knowledge, not proven 
in B (without even speaking of formally checked) are additional benefits. 
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